1. Field of the Invention
The present invention relates to a security system and method for use in a network. More particularly, the present invention relates to a security system and method for use in a network for providing a real-time stream that can provide an Internet Protocol security (IPsec) algorithm for service & content protection between a server and receiver terminals for IP-based data streaming services, Convergence of Broadcast and Mobile Services (CBMS), Open Air Interface (OAI), and mobile BroadCAST services enabler suite (BCAST) in Digital Video Broadcasting for Handheld (DVB-H) serving as an European IP DataCast (IPDC) standard.
2. Description of the Related Art
IPsec is a protocol for connecting a remote host and a network using a security tunnel on a public network such as the Internet.
In order to safely connect a system between hosts or networks, Internet Key Exchange (IKE) protocol, implemented by the Internet Engineering Task Force (IETF), is used for mutual authentication.
An IPsec connection is divided into two logical phases as illustrated in FIG. 1.
FIG. 1 is a signal flow diagram illustrating a security processing operation in a conventional network for providing a real-time stream.
Referring to FIG. 1, in the first phase (Phase 1), a terminal or responder 20 initializes a connection with an IPsec server or initiator 10.
The initiator 10 then exchanges a cipher, mode information, and a Diffie-Hellman public value to be used through IKE/IKE version 2 (IKEv2) protocol, which serves as a key management protocol for key encryption, after reading security information of the responder requesting the connection.
In the second phase (Phase 2), Security Association (SA) is established for bidirectional authentication between IPsec connection nodes.
Next, an SA database containing setting information of a secret session-key exchange parameter and cryptography is organized. In practice, the IPsec connection between the responder 20 and the initiator 10 is managed. After the IPsec connection is established in the above-described phases, data can be securely transmitted and received.
However, in order to maintain a high-level security in DVB-H CBMS, OAI, and BCAST services and data streaming services, the SA is frequently varied.
Since a data distributor server performs an IPsec encryption operation for content & service in real time, the SA is negotiated in a new IPsec connection.
The first phase is achieved by a pre-negotiation procedure without use of the IKE. In the CBMS specification based on DVB-H, a key is managed in a Conditional Access System (CAS) solution or Digital Rights Management (DRM) profile. In the OAI specification, a key is managed in a DRM profile.
In the second phase, the SA of the responder 20 is updated by a periodic stream notification of the initiator 10.
Even when a key part length and value are varied in the SA, the responder 20 continuously generates and deletes the SA, which is inefficient and necessitates management of SA resources.
Synchronization of SA to be used for a content stream received in real time and SA to be generated in real time is needed. If no optimum synchronization method is provided, resources may be wasted by checking all generated SAs.